Thursday, December 8, 2016

Cyber Updates - 08/12

Hey all,

Today I’d like to introduce you to Stegano, a new exploit kit that has recently
been delivered through malicious ads (malvertising).

The exploit kit uses MS16-037 (an Internet Explorer vulnerability) to check
whether it is running on a malware analysis system. Based on server-side logic, the
target is then served either a clean image or a malicious one: the malicious image
carries a script encoded in its alpha channel (the channel that defines the
transparency of each pixel). The script then redirects the user to another URL,
which attempts to exploit one of three Flash vulnerabilities (CVE-2015-8651,
CVE-2016-1019, CVE-2016-4117), depending on the victim’s Flash version.

The attached image illustrates the attack.

What is interesting to note is that the exploit creators did not want it to be
discovered. As such, the malware is not executed if one of the following
processes/modules, each of which indicates a virtual machine, sandbox or
debugging proxy, is present on the system:

• vmtoolsd.exe (VMware Tools)

• VBoxService.exe (VirtualBox Guest Additions)

• prl_tools_service.exe (Parallels Tools)

• VBoxHook.dll (VirtualBox Guest Additions)

• SBIEDLL.DLL (Sandboxie)

• fiddler.exe (Fiddler web debugging proxy; luckily for us, they also check
whether the tool is installed, so all Comsec’s consultants are in the clear)

Comsec Group Blog

Comsec Group, founded in 1987, is a pioneering market leader, providing all-inclusive Cyber and Information Security services to clients around the globe. Our mission is to serve our clients as trusted advisors, by securing their information and operational assets, ensuring the achievement of their business goals.